

# Centralized logging and monitoring
<a name="logging-monitoring"></a>

Organizations often create dedicated AWS accounts for centralized logging and monitoring purposes. These accounts are used to collect and store logs from various AWS accounts and services within the organization for long-term archival and auditing as well as monitoring the activity in all accounts for threats and vulnerabilities. In the security OU, AWS Control Tower implements a centralized log store (Log Archive) for logs and a centralized audit account (Audit) for auditor access and security tooling.

**Note**  
You might have customized these default account and OU names while setting up your landing zone in AWS Control Tower.

Logging, monitoring, and alerting are important components of an AWS Control Tower landing zone. Some functionalities are automatically launched when you set up the landing zone, and you can add other functionalities later for a more comprehensive landing zone monitoring solution.

**Topics**
+ [Logging](logging.md)
+ [Storage](storage.md)
+ [Auditing and alerting](auditing.md)

# Logging
<a name="logging"></a>

The Log Archive account serves as a centralized repository for aggregating logs of API activities (by using AWS CloudTrail) and resource configurations (by using AWS Config) across all accounts within the landing zone. Furthermore, you can centralize other logs from across your organization, such as Amazon CloudWatch, Amazon S3 access logs, and VPC Flow Logs, in this account. The Log Archive account seamlessly integrates with AWS Control Tower to automatically capture and record actions and events. This includes actions initiated from both the management account and member accounts. For comprehensive guidance, see [Logging and monitoring in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/logging-and-monitoring.html) in the AWS Control Tower documentation.

Centralized logging in AWS Control Tower provides numerous benefits, including:
+ Integration of security services to audit the logs and automate alerts and remediations
+ Adherence to compliance and regulatory standards that require you to keep a record of all activities in your environment
+ Centralized visibility into all activities across accounts to enable rapid troubleshooting and aid in forensic analysis during security incidents
+ Support for growing log volumes and cost-effective, long-term storage solutions

**Note**  
To further enhance your centralized logging solution, you can use AWS solutions such as [Centralized Logging with OpenSearch](https://aws.amazon.com/solutions/implementations/centralized-logging-with-opensearch/), which provides capabilities to ingest, process, and visualize both application logs and AWS service logs.

The following table provides an overview of the logs that you can set up for your landing zone, as an example of a table that you can use in your landing zone design document. You can extend this table with additional log solutions according to your landing zone requirements. For more guidance about the security logs to include in the Log Archive account, see the [AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/log-archive.html).


| **Logging service** | **Description** | **Build approach** | **Location** | 
| --- |--- |--- |--- |
| AWS CloudTrail and AWS Config | AWS Config logs configuration activity in the resources it supports. CloudTrail logs API calls, console access, and logins. Logs from all accounts are aggregated in the Log Archive account. | Automatically enabled and set up by AWS Control Tower for all accounts in the landing zone. | S3 bucket in the Log Archive account. | 
| Amazon CloudWatch | CloudWatch monitors resources and applications in the environment in real time. CloudWatch collects and tracks metrics for resources and applications. | We recommend that you set up CloudWatch for all required AWS resources. | S3 bucket configuration details are provided with the workloads. | 
| Amazon S3 access logs | Amazon S3 access logging provides detailed records for requests made to an S3 bucket. AWS Control Tower automatically sets up Amazon S3 access logging in the S3 bucket for CloudTrail and AWS Config. For information about Amazon S3 access logging, see [Logging requests using server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) in the Amazon S3 documentation. | Automatically enabled and set up by AWS Control Tower in the S3 bucket for CloudTrail and AWS Config. | S3 bucket in the Log Archive account. | 
| Elastic Load Balancing (ELB) access logs | ELB access logs capture detailed information about requests sent to your load balancer. These logs can be collected in all member accounts that have load balancers and centralized in the Log Archive bucket. For more information about ELB access logging, see [Access logs for your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html) and [Access logs for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html) in the ELB documentation. | We recommend that you set up access logs for all ELB resources. | S3 bucket in the Log Archive account. | 
| VPC Flow Logs | VPC Flow Logs captures information about IP traffic going to and from network interfaces in the VPC. These logs are stored locally in each member account and can be used for troubleshooting and analysis. For more information about this feature, see [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the Amazon VPC documentation. | We recommend that you use a CloudFormation template to enable VPC Flow Logs when you set up a VPC in each account. | Sent locally to CloudWatch in each account. The retention period for these logs should be three days. | 

# Storage
<a name="storage"></a>

The storage solution in the Log Archive account is implemented by using Amazon Simple Storage Service (Amazon S3). AWS Control Tower automatically sets up and manages the S3 buckets for AWS Control Tower according to AWS best practices.

The following table summarizes the storage configurations that you can configure in your landing zone. You should extend this table with additional storage solutions according to your landing zone requirements.


| **Account** | **S3 bucket name** | **Description** | **Encryption** | **Lifecycle rules** | **Bucket policy** | **Created by AWS Control Tower?** | 
| --- |--- |--- |--- |--- |--- |--- |
| Log Archive | `aws-controltower-logs-*` | This bucket is created by AWS Control Tower and centralizes all AWS CloudTrail and AWS Config logs from all member accounts in your organization. Inside the bucket, files are kept in subdirectories that use the account ID as the directory name. | Default encryption using SSE-S3 (AES-256) | The default retention period is 1 year. You can use [AWS Control Tower customized log retention](https://aws.amazon.com/about-aws/whats-new/2022/08/aws-control-tower-customized-log-retention/) to extend log retention up to 15 years. | Default bucket policy is applied. | Yes | 
| Log Archive | `aws-controltower-s3-access-logs-*` | This bucket is created by AWS Control Tower and collects the server access logs of the `aws-controltower-logs-*` S3 bucket. | Default encryption using SSE-S3 (AES-256) | The default retention period is 10 years. You can use [AWS Control Tower customized log retention](https://aws.amazon.com/about-aws/whats-new/2022/08/aws-control-tower-customized-log-retention/) to extend log retention up to 15 years. | Default bucket policy is applied. | Yes | 
| Shared Services | `aws-shared-services` | This S3 bucket is used to store the Amazon Machine Images (AMIs) for the landing zone. | Encryption using SSE-S3 (AES-256) | None. | Only accounts in the organization have access. | No | 

## Encryption
<a name="encryption"></a>

Encryption is automatically enabled during landing zone setup for the S3 buckets that contain AWS Control Tower logs and access logs.

The S3 buckets for centralized logs should be encrypted at rest by using [server-side encryption with Amazon S3 managed keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). This option encrypts each object with a unique key by using 256-bit Advanced Encryption Standard (AES-256) encryption. As an additional safeguard, Amazon S3 encrypts the key itself with a management key that it regularly rotates.

You can also use server-side encryption with AWS Key Management Service (AWS KMS) keys. For more information, see the *Server-side encryption with AWS KMS keys (SSE-KMS)* section of [Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the Amazon S3 documentation. To configure AWS Control Tower to use a customer managed key (instead of the default AWS managed key), review the section [Optionally configure AWS KMS keys](https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html) in the AWS Control Tower documentation. 
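As an added example, not code from this guidance or from AWS Control Tower, the following Python module classifies a bucket's default encryption from the dict shape that boto3's `s3.get_bucket_encryption()` returns, and checks it against the baseline the Storage table and this section describe (SSE-S3 or SSE-KMS at rest). The sample responses are constructed so that the module runs without AWS access; the rule for telling the AWS managed key from a customer managed key is an assumption, not an S3 API guarantee.

```python
"""Classify an S3 bucket's default server-side encryption.

Added example: the input dicts use the shape returned by boto3's
s3.get_bucket_encryption(); no AWS calls are made and all samples are
constructed (account ID, region, and key ID are placeholders).
"""

# The AWS managed key that SSE-KMS uses when no key ID is specified.
AWS_MANAGED_S3_KEY_ALIAS = "alias/aws/s3"

# Constructed sample responses, keyed by bucket name.
SAMPLE_RESPONSES = {
    "aws-controltower-logs-111122223333-us-east-1": {
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
             "BucketKeyEnabled": False}]}},
    "aws-controltower-s3-access-logs-111122223333-us-east-1": {
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                                  "00000000-1111-2222-3333-444455556666"},
             "BucketKeyEnabled": True}]}},
    "example-kms-aws-managed": {
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "example-unencrypted": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}


def classify_default_encryption(response: dict) -> str:
    """Return a short label for the bucket's default encryption setting."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return "SSE-S3"
    if algorithm in ("aws:kms", "aws:kms:dsse"):
        key_id = default.get("KMSMasterKeyID", "")
        # Assumption: an absent key ID or the aws/s3 alias means the AWS managed
        # key; any other key ID or ARN is treated as a customer managed key.
        if not key_id or key_id.endswith(AWS_MANAGED_S3_KEY_ALIAS):
            return "SSE-KMS (AWS managed key)"
        return "SSE-KMS (customer managed key)"
    return f"unknown ({algorithm})"


def meets_log_archive_baseline(response: dict) -> bool:
    """Baseline from this section: logs encrypted at rest with SSE-S3 or SSE-KMS."""
    return classify_default_encryption(response).startswith(("SSE-S3", "SSE-KMS"))


def audit_buckets(responses: dict) -> dict:
    """Map bucket name -> (classification, meets baseline) for a set of responses."""
    return {name: (classify_default_encryption(r), meets_log_archive_baseline(r))
            for name, r in responses.items()}


if __name__ == "__main__":
    for bucket, (label, ok) in audit_buckets(SAMPLE_RESPONSES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {bucket}: {label}")
```

To run this against real buckets, replace `SAMPLE_RESPONSES` with the result of calling `get_bucket_encryption` for each bucket from the Log Archive account; the `audit_buckets` output then tells you which log buckets still rely on no default encryption and which use a customer managed key, as configured through the AWS Control Tower KMS option described above.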

# Auditing and alerting
<a name="auditing"></a>

The Audit account is tailored for auditors and security administrators. In this account, you can give auditors read-only access to all accounts in the organization, so they can conduct thorough reviews. Additionally, the Audit account can be the delegated administrator for several security services that monitor the accounts in the organization for threats and compliance.

Centralizing auditing and security services in a dedicated AWS account offers numerous benefits, including:
+ It isolates security functions from production workloads, which helps ensure robust and efficient security, compliance, and resource management across the organization's AWS environment.
+ It simplifies visibility, security management, and incident response from one central place.
+ It provides cost efficiency by eliminating redundancies.
+ It enables automated remediations and alerts.

**Note**  
When you set up alerts, you should also consider automating remediation actions by using AWS Config Rules, AWS Lambda functions, and AWS Systems Manager Automation documents.

The following table shows a recommended list of services to help manage and secure your landing zone. You should extend this table with additional monitoring solutions according to your landing zone requirements. For more guidance on security tooling you can include in the Audit account, see the [AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html).


| **Type** | **Description** | **Monitoring setup** | **Notification setup** | 
| --- |--- |--- |--- |
| Control compliance notifications | Provides notifications when there is drift in AWS Control Tower control compliance. | AWS Control Tower has an `aws-controltower-AggregateSecurityNotifications` SNS topic in the Audit account. | You should set up notifications after you create the AWS Control Tower landing zone to ensure that you can catch controls that are not compliant and in need of remediation. Note: You can [automatically remediate non-compliant resources by using AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html). | 
| Threat detection (Amazon GuardDuty) | Monitors VPC Flow Logs, CloudTrail, and DNS logs to detect suspicious or unexpected behavior in the accounts (for example, backdoor access, trojan programs, or unauthorized access). For more information, see the [Amazon GuardDuty documentation](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html). | We recommend that you set up and configure GuardDuty when you create the landing zone. | You should set up notifications after setting up GuardDuty to ensure that you receive alerts for potential threats to remediate. Note: You can [integrate GuardDuty findings with AWS Security Hub CSPM](https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html). | 
| Security and compliance monitoring (AWS Security Hub CSPM) | Brings together security findings from multiple AWS services and third-party sources into a single centralized dashboard to help proactively identify and address security issues, vulnerabilities, and compliance concerns. For more information, see the [AWS Security Hub CSPM documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html). | We recommend that you set up and configure Security Hub CSPM when you create the landing zone. | You should set up notifications after setting up Security Hub CSPM to ensure that you receive alerts for potential vulnerabilities to remediate. Note: You can [automate remediation in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html). | 
| Root user activity | Sends notifications when an account is accessed by the root user through the AWS Management Console. | We recommend that you set up an Amazon CloudWatch Events rule to monitor the `userIdentity` element in CloudTrail for root logins. | If there is root user account activity, CloudWatch Events writes to an SNS topic. For more information and a CloudFormation script that you can use to set up this monitoring, see [How do I create an EventBridge event rule to notify me that my AWS root user account was used?](https://repost.aws/knowledge-center/root-user-account-eventbridge-rule) in the AWS Knowledge Center. | 
| Billing alerts | Sends billing alerts if the cost and usage of AWS services exceeds your budget threshold. | We recommend that you set up a monthly customized budget that specifies a threshold that can be tracked by [AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html). | AWS Budgets generates an alert by using Amazon Simple Notification Service (Amazon SNS) if the budget threshold is exceeded. You can use CloudFormation stacks and a CloudFormation template to set notifications at the organization or OU level. You can also choose to automatically apply this check to new accounts. For more information, see the [AWS::Budgets::Budget resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-budgets-budget.html) in the CloudFormation documentation. | 

**Note**  
You can configure Amazon SNS to send out security alerts from the services listed in the table. The alerts can be sent to either one centralized email (if you have one single security team responsible), or to multiple emails (if different parts of your security organization are responsible for different services).
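The root user activity row in the table above describes matching the `userIdentity` element of CloudTrail events. The following Python module is an added example, not code from this guidance or from the linked Knowledge Center article, that applies that same check in two places: retrospectively over a CloudTrail log file of the kind stored in the Log Archive bucket, and in real time over an EventBridge event whose `detail` carries the CloudTrail record, producing the message that a rule target would publish to SNS. All records, account IDs, and IP addresses are constructed placeholders; the exact EventBridge rule in the Knowledge Center article may differ from the check shown here.

```python
"""Find root user activity in CloudTrail records.

Added example: works on a CloudTrail log file (the {"Records": [...]} layout
stored in the Log Archive bucket) and on an EventBridge event whose `detail`
is a CloudTrail record. All data below is constructed; account IDs and IP
addresses are documentation placeholders.
"""
import json

SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T12:05:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "userName": "alice"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T12:10:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "444455556666",
                      "arn": "arn:aws:sts::444455556666:assumed-role/Auditor/session"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.5"},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T12:15:00Z",
     "userIdentity": {"type": "Root", "accountId": "444455556666",
                      "arn": "arn:aws:iam::444455556666:root"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7"},
]})

# Constructed EventBridge envelope for the console sign-in record above.
SAMPLE_EVENTBRIDGE_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333",
    "detail": json.loads(SAMPLE_CLOUDTRAIL_FILE)["Records"][0],
}


def is_root_user_record(record: dict) -> bool:
    """True when the CloudTrail record was produced by the account's root user."""
    return record.get("userIdentity", {}).get("type") == "Root"


def summarize(record: dict) -> dict:
    """Reduce a record to the fields an on-call engineer needs in an alert."""
    identity = record.get("userIdentity", {})
    return {
        "account": identity.get("accountId"),
        "time": record.get("eventTime"),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        "region": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "console_login": record.get("eventName") == "ConsoleLogin",
    }


def find_root_activity(cloudtrail_file_text: str) -> list:
    """Scan one CloudTrail log file for root user activity (retrospective use)."""
    records = json.loads(cloudtrail_file_text).get("Records", [])
    return [summarize(r) for r in records if is_root_user_record(r)]


def root_alert_message(event: dict):
    """Build the SNS message for an EventBridge event; None when no alert is needed.

    Applies the same check the table describes: userIdentity.type is Root,
    whether the record is a console sign-in or an API call.
    """
    record = event.get("detail", {})
    if not is_root_user_record(record):
        return None
    s = summarize(record)
    kind = "console sign-in" if s["console_login"] else "API call"
    return (f"Root user {kind} in account {s['account']} at {s['time']}: "
            f"{s['event']} from {s['source_ip']} ({s['region']})")


if __name__ == "__main__":
    for hit in find_root_activity(SAMPLE_CLOUDTRAIL_FILE):
        print(hit)
    print(root_alert_message(SAMPLE_EVENTBRIDGE_EVENT))
```

Checking `userIdentity.type` rather than `eventName` alone is the design point: the IAM user sign-in in the sample is not alerted on, while the root API call (`CreateAccessKey`) is, even though it is not a console login, so the retrospective scan over the Log Archive bucket catches root activity that a console-only rule would miss.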